Le 24/06/2015 20:02, Gerald B. Cox a écrit :
but I don't believe mandating
commit hash in all circumstances is the way to do it.
I think current Guideline is "clear" and doesn't need to be changed.
Please explain how you can check the sources used to build a package is
the correct one ?
When upstream provides a tarball (usually because they run "make dist"
to provide a usable archive), if they regenerate this tarball and
reupload it, the checksum will change.
With TAG auto-generated archives, the checksum is not reliable.
As explained in the Guidelines :
"Keep in mind that github tarballs are generated on-demand,
so their modification dates will vary and cause checksum tests
to fail."
So again
"For a number of reasons (immutability, availability,
uniqueness), you must use the full commit revision
hash when referring to the sources."
Yes, there is a number of packages which doesn't respect this Guidelines
and use tag/release archive (probably old packages). But there is also a
number of packages which respect it.
And it is the role of the reviewer to check and explain this.
Nothing complex. Enough examples in the wiki/repo to look at.
Remi.